Audit Log Events in Confluence
This page outlines the auditing events available in Confluence Server and Data Center, and which events fall into each coverage level.
For more information about how auditing works, see Auditing in Confluence.
On this page
Definitions
Coverage area
A coverage area is a grouping of events related to a similar theme.
Category
A category is a grouping of related events. Categories can belong to multiple coverage areas.
Category names change over time. You may find your audit log contains some categories not described on this page. These are usually associated with events logged prior to Confluence 7.5.
Coverage level
Coverage levels allow you to control which events are logged. Some levels are only available with a Data Center license.
Global configuration and administration
Category: Global administration
Coverage level | Events logged |
---|---|
Base | Mail server created |
Advanced | Mobile apps configuration updated Read-only mode configuration changed Banner configuration changed Collaborative editing mode changed Synchrony restarted Mail queue flushed Mail queue: error queue re-sent Mail queue: error queue deleted Allowlist turned on Allowlist turned off Allowlist URL added Allowlist URL removed Allowlist URL updated Security configuration updated Application navigator link added Application navigator link removed Application navigator link updated Scheduled job enabled Scheduled job disabled Scheduled job edited Scheduled job run manually Application link created Application link edited Application link removed Rate limiting settings updated Rate limiting exemption added Rate limiting exemption removed Rate limiting exemption edited CDN configuration |
Full | No events |
Category: Apps
Coverage level | Events logged |
---|---|
Base | App installed App uninstalled App enabled App disabled App module enabled App module disabled |
Advanced | No events |
Full | No events |
Category: Page templates
Coverage level | Events logged |
---|---|
Base | Page template updated Page template created Page template deleted |
Advanced | No events |
Full | No events |
User management
Category: Users and groups
Coverage level | Events logged |
---|---|
Base | User created User deleted User renamed User details updated User requested password reset Group created Group deleted User added to group User removed from group User directory created User directory deleted User directory updated |
Advanced | User was invited to join site |
Full | No events |
Permissions
Category: Permissions
Coverage level | Events logged |
---|---|
Base | Space permission removed Space permission added Global permission removed Global permission added |
Advanced | No events |
Full | No events |
Local configuration and administration
Category: Pages and blogs
Coverage level | Events logged |
---|---|
Base | Page hierarchy copy started Page hierarchy delete started |
Advanced | No events |
Full | No events |
Category: Import / export
Coverage level | Events logged |
---|---|
Base | Space import Space export Space exported to PDF |
Advanced | No events |
Full | No events |
Category: Spaces
Coverage level | Events logged |
---|---|
Base | Space created Space deleted Space archived Space unarchived Space trash emptied Space logo uploaded Space logo enabled Space logo disabled Space logo deleted Unknown update to space logo Space configuration updated |
Advanced | No events |
Full | No events |
Security
Category: Auditing
Coverage level | Events logged |
---|---|
Base | Audit log search performed Audit log exported Audit log configuration updated |
Advanced | No events |
Full | No events |
Category: Authentication
Coverage level | Events logged |
---|---|
Base | No events |
Advanced | Secure admin access granted Secure admin access request failed Secure admin access dropped User authorized external application access via OAuth tokens User de-authorized external application access via OAuth token User login failed* |
Full | User login successful User logout |
*We only track User login failed events if the authentication does not involve a redirect to an external identity provider. If a user tries to log in using SSO and fails, this event will not be logged. Most identity providers track these events in their own audit logs.
Category: Users and groups
Coverage level | Events logged |
---|---|
Base | No events |
Advanced | Forgot password feature triggered Forgot password feature triggered for unknown user |
Full | No events |
Category: Security
Coverage level | Events logged |
---|---|
Base | No events |
Advanced | User tried to access restricted page |
Full | No events |
End user activity
DATA CENTER ONLY
Category: Pages and blogs
Coverage level | Events logged |
---|---|
Base | No events |
Advanced | Blog post edit restriction added |
Full | Page created |
Note: The Search performed event records the search terms entered in search, advanced search, and in search macros (such as Livesearch and Page Tree Search). If you don't want to collect this data you can disable this event using the audit.log.search.disabled
system property.
Category: Import / export
Coverage level | Events logged |
---|---|
Base | No events |
Advanced | Page exported to PDF Blog post exported to PDF Page exported to Word Blog post exported to Word |
Full | No events |
Category: Data pipeline
Coverage level | Events logged |
---|---|
Base | Full data export cancelled Full data export triggered Unauthorized full data export triggered Full data export failed |
Advanced | No events |
Full | No events |